The American Recovery Reinvestment Act and Health Care Reform Puzzle. Presentation Overview 2/27/2012

Transcription

1 The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Regional Conference March 1, 2012 Presentation Overview ARRA and HITECH Breach Reporting: When, How and to Whom? Two Pieces of the Compliance Puzzle Both related to healthcare Both have deadlines in the past, 2014 and beyond Enforcement affects all Patient Protection and Affordable Care Act (PPACA) Current Legal Status of PPACA Compliance Issues in PPACA Employer Side of PPACA 2 1

2 ARRA and HITECH ARRA: American Recovery and Reinvestment Act 2/17/2009 $19.2 billion for health IT Numerous stimulus opportunities HITECH: Health Information Technology for Economic and Clinical Health Act Title XII of ARRA Deals with many of the health information provisions including changes to HIPAA Provides incentives for EHR for individual providers and certain organizations 3 HITECH: What you need to know Health Information Technology for Economic and Clinical Health (HITECH) Act: HIPAA Breach Notification Minimum Necessary Restriction Requests EHR Requirements Marketing & Communications Business Associates Additional Guidance Forthcoming EHRs: Meaningful Use 2

3 The Road to 2014: For Better or For Worse Good Increased Funding Clarification of Grey Areas Increased Enforcement for Business Associates Better Access to Records More Efficient Healthcare Delivery Not So Good No Excuses Increased Enforcement for Business Associates Increased Documentation Requirements Still waiting (may receive guidance during this conference) HITECH Changes to Security Rule Annual Technical Safeguards Guidance Review and follow Don t follow and be prepared to explain Breach Notification Requirements Notice to Patients Notice to HHS Differs from Alaska breach notification requirements Still in interim form until March 2012 (any day now) 3

4 HITECH vs. AK PIPA: Breach Reporting HITECH Only covers unsecured protected health information Written notification More than 500 affected requires notice to media Notice within 60 days of discovery Specific notice requirements Notice to HHS or annual log of breaches Alaska Personal Information Protection Act Covers personal information if reasonable likelihood of harm Written or electronic notice More than 300,000 requires notice to media Requires reporting to AG even if no harm caused Make sure this is covered in business associate agreements and vendor contracts What is a breach? HITECH/HIPAA Acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. Only applies to unsecured PHI, such as unencrypted data on a laptop, etc. AK Personal Information Protection Act (AK PIPA) Unauthorized acquisition, or reasonable belief of unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of the personal information. Only applies to personal information : not encrypted or redacted; combination of name and identifying number (SSN, DL#, credit card or bank account, etc.) 4

5 Exceptions to Breach HIPAA/HITECH Secured PHI Unintentional, good faith acquisition, access or use by person working under authority of covered entity, if within scope of authority and no further use or disclosure. Disclosures within same entity, or between entity and business associate or OHCA, under same terms. Good faith belief that no information could have been retained. AK PIPA Encrypted or Redacted PHI Good faith acquisition by an employee or agent for a legitimate purpose, as long as information not further disclosed. You Have a Breach Reporting Breaches Internally Form for employees to provide facts and necessary information for investigation and breach notification Policy regarding reporting and non-retaliation Procedures for who should be notified (IT, legal, compliance) 5

6 You Have a Breach What do you need to know? Who: Who accessed/disclosed the info? Did they have authorization? What: What info was accessed/disclosed? Was it encrypted? Name SSN, other identifying #s (Alaska PIPA) PHI Contact information When: When was it accessed/disclosed? Is the breach a onetime event or ongoing? How: How did the breach occur? Could it happen again? Can it be addressed or mitigated? Why: Was it intentional? Was there a violation of policy? You Have a Breach Internal Process: Notify mitigating departments immediately IT, legal, front desk, etc. if you can stop or contain the breach, do it ASAP Make sure and report up the chain Keep facts confidential until confirmed Determine if affiliates or business associates need to be involved in breach assessment Internal Analysis: Was the information part of our records? What is the likelihood of further use or disclosure? What is the foreseeable harm? To the individuals To the organization 6

7 Conducting the Analysis Risk Factors: Nature of data breached Potential harm to reputation Potential for harassment or prejudice Potential for identity theft Number of individuals affected Whether the breach was intentional Whether the information is easily redisclosed Whether the individual acting within the scope of their position Ability to mitigate the harm Addressing and Mitigating Addressing Breaches Internally Investigate Analyze Mitigate Notify Sanction Train Addressing Breaches Externally Mitigate Document Notify: Patients, State AG, OCR, Partners Make sure your staff is knowledgeable about the facts and the mitigating efforts 7

8 Reporting is Required How Do We Do It? HIPAA/HITECH Written notification by first class mail, unless individual has agreed to electronic communication. Website or major media if insufficient contact info for more than 10 people. Media notification required if more than 500 affected. AK PIPA Written notification, or electronic if primary method of communication is electronic, or if other contact info is insufficient. Website and major media if insufficient contact info for even one person. Media notification if more than 300,000 affected. Reporting Details HIPAA/HITECH Within 60 days of discovery of breach. Must include: Brief description of breach including date of breach and date of discovery. Description of PHI involved. Steps individual should take to protect themselves. Brief description of mitigation, investigation and protection measures taken by entity. Contact info for questions, including toll-free phone, , website or address. AK PIPA In the most expeditious time possible and without unreasonable delay. Content of notice not directly addressed. 8

9 Mitigating Efforts Important to look at root cause to determine possible mitigation steps Human error can t prevent, but can remind and retrain The easier the solution, the less of an excuse The harder/more expensive the solution, the more analysis that may be necessary Need to explain why you don t take all possible mitigating steps Need to describe the steps that you do take Document, document, document! Possible Mitigation Efforts Information available on-site for patients/clients. Informational sessions for patients/clients. Review and revise compliance plan. Sanctions against employees. Training for all employees. Work with partners/business associates. New technology. Follow-up credit checks for patients/clients. 9

10 Other Things to Consider HIPAA/HITECH Notice to HHS Annual log of breaches Who is responsible? Covered entity. Delay for investigation? Final rule still to come. Anyone else we should notify? Funders, partners, etc. AK PIPA Notice to consumer credit reporting agencies. Who is responsible for notice? Information distributor or collector. Red flags rule. HITECH Changes to Privacy Rule Minimum Necessary: Limited Data Set Safe Harbor Patient Requests for Restriction on PHI EHR Requirements Accounting of Disclosures Expanded Right to Records in Electronic Format PHI and Funding No Sales of PHI Opt-out for Fundraising 10

11 The Role of Business Associates Business Associates Directly Subject to HIPAA Responsible to Government Responsible through Business Associate Contracts May Need to Update Business Associate Agreements New Clarification/Category of Business Associates Reporting Breaches Another Qui Tam? Patients now have potential financial benefit from reporting HIPAA breaches Civil Monetary Penalties distributed directly to harmed individuals Amount of CMP tied to level of intent New Enforcement Rights State Attorney Generals Audits 11

12 HITECH: More than just HIPAA Medicare Incentive Payments: Meaningful use of a certified EHR Submission of clinical quality measures Penalties for failure to adopt EHRs Additional HITECH Funding: Education Grants Training Research Indian Health Services Grants PPACA: 900 Pages and counting 900 x 100 pages of regulations = 90,000 pages 24 12

13 Health Reform: Acts I, II, III Patient Protection and Affordable Care Act (P.L ) Original legislation, enacted March 23, 2010 Health Care and Education Reconciliation Act (P.L ) Changes by House, enacted March 30, 2010 TRICARE Affirmation Act Potential for: Additional Federal Laws Corresponding State Laws Over 100 Pages of regulations and guidance expected per page of legislation 25 Main Topics Covered by Legislation Titles I & II: Health Care and Insurance Coverage Title III: Delivery of Health Care Title IV: Prevention and Public Health Title V: Health Care Workforce Title VI: Fraud and Abuse Title VII: Health Technology Title VIII: CLASS Act (Assistance for Seniors and Disabled) Title IX: Taxes and Fees (How are we paying for this?) Title X: Amendments 26 13

14 Health Reform: Issuing Policies Exclusions for pre-existing conditions prohibited (2010, 2014) Dependent coverage extended to 26 (2010) Annual limits initially restricted, eventually prohibited Lifetime limits not allowed Rescission not permitted Policy and renewal guaranteed Premiums can only be adjusted for region, tobacco use, age and family composition No gender discrimination 27 Health Insurance Exchange Health Insurance Exchange for individuals and small businesses Less than 100 employees until 2017 Administered by government agency or non-profit Benefits: Competitive market Common rules on pricing and offering Supposed to provide more information for consumers Makes changing employment easier 28 14

15 Health Reform and Individual Coverage Requirements (2014) Required to have qualified health plan or pay the price Tax penalty starts small ($95) and increases ($695) Per person, per year Families capped at 2.5% of income or 3X penalty, whichever is larger Some exemptions apply: financial, religious, American Indian/Alaska Native Subsidies (2014) Income between 133% and 400% of FPL Cost Sharing for individuals/families between 100% and 400% of FPL 29 Health Reform and Health Care Delivery Evidence Based Practice Care Coordination and Service Integration Increased focus on innovation Quality Improvement Maternal, Infant and Early Childhood Home Visitation Programs Primary Care enhancement Increased pay Medical homes Coverage of preventive services Community Wellness grants Healthy lifestyles incentives Immunization program 30 15

16 Improvements in Quality and Delivery Accountable Care Organizations look out for fraud and abuse issues Comparative Effectiveness Research Malpractice Reform Pilots Dual eligible care coordination National quality improvement strategy National prevention and wellness strategy focus on preventive services Enhanced reporting and collection of data 31 ACA Compliance Provisions Requires Compliance Program as a Condition of Participation in Medicare All providers must certify that they have an effective compliance program Regulations expected for various provider types, nursing home regulations already issued Exact date for programs to be in place is not yet clear Enforcement activity increased Flexibility for varying size providers Better to start sooner, rather than later 32 16

17 ACA Required Compliance Plan Must contain core elements established by HHS Secretary in conjunction with OIG OIG Compliance Program Guidance may be helpful until further guidance issued: Failure to have an effective compliance program constitutes reckless disregard, which is the definition of knowingly submitting a false claim. United States v. Merck-Medco Managed Care LLC, 336 F.Supp.2d 430, (E.D. Pa. 2004). 33 ACA Repayment and Disclosures Congress clarified obligation to report and refund Medicare and Medicaid overpayments: Now very clear that overpayments are to be reported and returned to Secretary, State, an intermediary, carrier or contractor as appropriate Must notify Secretary, State, intermediary, carrier or contractor in writing of reason for overpayment Must be done by later of: 60 days after identification Date any corresponding cost report is due Problem: When is it identified? What about investigation? Liability for anyone who knows of an overpayment and fails to report/return it 34 17

18 ACA Definitions Clarified Overpayment: Any funds that a person receives or retains under title XVIII or XIX to which the person, after applicable reconciliation, is not entitled under such title Person: Provider of services, supplier, Medicaid managed care organization, Medicare Advantage organization or Medicare Part D Prescription Drug Plan sponsor Qui tam original source relaxed: person has knowledge that is independent of and materially adds to the publicly disclosed allegations or transactions. 35 ACA Fraud and Abuse Enforcement Additional $350 million over next 10 years to fight fraud in the healthcare system Tougher sentencing for criminal activity Enhanced screening requirements Enhanced enrollment requirements Increased sharing of data across government 36 18

19 ACA Fraud and Abuse Enforcement Expanded overpayment recovery efforts HHS authorized to suspend Medicare/Medicaid payments pending an investigation of credible allegation of fraud (not defined) Greater oversight of private insurance Improper Payments Elimination and Recovery Act specifically authorized auditors paid on contingency 37 Constitutional Challenge Predictions What is going on now? Circuit court decisions vary To be heard by Supreme Court in March Decision predicted in June

20 Constitutional Challenge Predictions What is next? Severability issues will arise if individual mandate unconstitutional, how much of PPACA must be repealed? What about programs that have already started? Will this tear the whole Act apart? 39 Health Reform Resources The law: Federal Guidance Kaiser Family Foundation - State Guidance

21 Challenges for Employers Reporting Requirements: 1099 Requirement Businesses required to file 1099 with IRS for every vendor conducting a transaction in excess of $600. REPEALED!!!!!!!! W-2 Required to report aggregate cost of coverage Determining What Rules Apply Determining What Coverage Employees Are Choosing 41 The Rules for Employers If an employer chooses to provide health insurance to all employees, the health insurance must meet both of the requirements listed below to completely avoid a penalty. Insurance must pay for at least 60% of covered health care expenses for a typical population. Employee should not have to pay more than 9.5% of family income for the employer plan. Or it may choose to provide a non-compliant health insurance plan, which would result in a reduced penalty amount, but would not eliminate the penalties altogether

22 Determining How the Rules Apply # Description Penalties Cost 1. Provide PPACA compliant health coverage for all employees. 2. Provide limited health plan to employees. None Penalty A = $3,000/yr. x (# of full-time equivalent employees receiving the tax credit - 30) Cost of health insurance plan that pays for at least 60% of covered health care expenses, with employee cost limited to 9.5% of family income or less. Cost of limited health insurance plan for those employees who choose the plan + Penalty A. Penalty A Example 1: If Employer has 100 full-time equivalents and 80 select the employer plan and 20 select the tax credit for alternate coverage, then there would be no penalty because the number of employees receiving tax credit does not exceed 30. Penalty A Example 2: If Employer has 100 full-time equivalents and 50 select the employer plan and 50 select the tax credit for alternate coverage, then the penalty would equal $3,000 x (50-30) = $60,000. Penalty A Example 3: If Employer has 100 full-time equivalents and 10 select the employer plan and 90 select the tax credit for alternate coverage, then the penalty would exceed the total for Penalty B below ($3,000 x = $180,000) and so Penalty A would equal Penalty B: $140,000. Employer would pay this penalty in addition to the cost for the ten employees who selected the plan. 3. Continue to provide no insurance for employees. Penalty B = $2,000/yr. x (# of full-time equivalent employees 30) Penalty B Penalty B Example: If Employer has 100 full-time equivalents, it would pay $2,000 x (100-30) = $140, Guessing game Cost of fully PPACA compliant health plan < Penalty B = Implement compliant plan. Cost of fully PPACA compliant health plan > Penalty B = Conduct additional analysis of limited health plan costs. Estimated cost of limited plan + Penalty A < Penalty B = Offer limited plan. Estimated cost of limited plan + Penalty A > Penalty B = Offer nothing.???????????????? 44 22

23 Other Employer Challenges Challenges: Businesses with less than 50 employees not required to provide insurance, but employees will still require coverage Confusion over requirements and how to apply them Employers that offer coverage will have to provide a free choice voucher to employees with incomes less than 400% FPL whose share of the premium exceeds 8%, but is less than 9.5% of their income???? Rules vary for size of employer, number of employees receiving tax credits, number of employees in exchange Growth many credits phase out as your business size increases, or your salaries increase Lost productivity with employees figuring out insurance options 45 Questions? heyman-layne@alaskalaw.pro (907) Sedor, Wendlandt, Evans & Filippi, LLC 46 23